Source: OJ L, 2024/1689, 12.7.2024

Current language: EN

Article 22 Authorised representatives of providers of high-risk AI systems


Summary What does Article 22 of the AI act regulation say?

This article establishes the requirement for non-EU providers of high-risk AI systems to appoint an authorised representative established within the Union before placing their systems on the Union market.

It builds directly on the broader obligations set out for providers in Article 16, extending those obligations to the EU-based representative acting on their behalf.

The article details the tasks the authorised representative must be empowered to perform, including verifying compliance documentation, retaining key records for 10 years, cooperating with competent authorities, and handling registration obligations.

Notably, the mandate also gives the authorised representative the standing to be addressed by authorities in place of the provider.

The article also provides an exit mechanism, requiring the authorised representative to terminate the mandate and notify the relevant authorities if the provider is acting contrary to its obligations under the regulation.

Important points:

  • Third-country providers of high-risk AI systems must appoint a Union-established authorised representative by written mandate before entering the EU market.
  • The authorised representative is required to retain key compliance documents, including the EU declaration of conformity and technical documentation, for 10 years after the system is placed on the market or put into service.
  • The authorised representative must terminate the mandate and notify the relevant market surveillance authority if it has reason to consider the provider is acting contrary to its obligations under this regulation.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Prior to making their high-risk AI systems available on the Union market, providers established in third countries shall, by written mandate, appoint an authorised representative which is established in the Union.

    1. The provider shall enable its authorised representative to perform the tasks specified in the mandate received from the provider.

    1. The authorised representative shall perform the tasks specified in the mandate received from the provider. It shall provide a copy of the mandate to the market surveillance authorities upon request, in one of the official languages of the institutions of the Union, as indicated by the competent authority. For the purposes of this Regulation, the mandate shall empower the authorised representative to carry out the following tasks:

      1. verify that the EU declaration of conformity referred to in Article 47 and the technical documentation referred to in Article 11 have been drawn up and that an appropriate conformity assessment procedure has been carried out by the provider;

      2. keep at the disposal of the competent authorities and national authorities or bodies referred to in Article 74(10), for a period of 10 years after the high-risk AI system has been placed on the market or put into service, the contact details of the provider that appointed the authorised representative, a copy of the EU declaration of conformity referred to in Article 47, the technical documentation and, if applicable, the certificate issued by the notified body;

      3. provide a competent authority, upon a reasoned request, with all the information and documentation, including that referred to in point (b) of this subparagraph, necessary to demonstrate the conformity of a high-risk AI system with the requirements set out in Section 2, including access to the logs, as referred to in Article 12(1), automatically generated by the high-risk AI system, to the extent such logs are under the control of the provider;

      4. cooperate with competent authorities, upon a reasoned request, in any action the latter take in relation to the high-risk AI system, in particular to reduce and mitigate the risks posed by the high-risk AI system;

      5. where applicable, comply with the registration obligations referred to in Article 49(1), or, if the registration is carried out by the provider itself, ensure that the information referred to in point 3 of Section A of Annex VIII is correct.

    2. The mandate shall empower the authorised representative to be addressed, in addition to or instead of the provider, by the competent authorities, on all issues related to ensuring compliance with this Regulation.

    1. The authorised representative shall terminate the mandate if it considers or has reason to consider the provider to be acting contrary to its obligations pursuant to this Regulation. In such a case, it shall immediately inform the relevant market surveillance authority, as well as, where applicable, the relevant notified body, about the termination of the mandate and the reasons therefor.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod